
Resolved
In our environment (ClearOS 7.3) the proxy server is set to transparent mode, which means the client computers can access the internet without configuring any local proxy server settings. However, we are noticing that if the proxy server settings are set to serverip:8080 in the client computers, they are still able to access the net. To avoid this, we thought of changing the default port 8080 to something else. So in /etc/dansguardian-av/dansguardian.conf, we changed the value of the filterport setting from 8080 to something else. With this we are finding that the client computers are not able to access the net without specifying the proxy server setting as serverip:newport. Our understanding is that when the proxy is in transparent mode, the client computers should be able to access the internet without configuring local proxy server settings. And it works that way with filterport set to 8080; however, if we change the filterport value to something else, it just doesn't work. Any idea what could be going on? Or is it that it's not the filterport, but some other setting that we need to change to achieve our intention...

Looking forward to your thoughts..
Sunday, June 11 2017, 08:20 AM
Responses (1)
  • Accepted Answer

    Sunday, June 11 2017, 12:33 PM - #Permalink
    It is because iptables (the firewall) is used to redirect internet-bound traffic to serverip:3128. Have a look in the listing from "iptables -nvL PREROUTING -t nat". If you change your listening port you'll need to add your own firewall rule. Have a look at this doc (https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_web_proxy). Using a proxy port of 8080 goes to the content filter. The content filter should then feed the proxy (I think). If you are not using the content filter, you can block access to it but you have to cheat and redirect traffic to a non-existent IP:
    iptables -I PREROUTING -t nat -p tcp --dport 8080 -j DNAT --to-destination your_LAN_base_address_ending_in_0
    Instead of your_LAN_base_address_ending_in_0 you could use any private IP address not in your network. If you are doing a custom firewall rule, replace "iptables" with "$IPTABLES".

    I need to research it a bit more but these days, with so many web sites using https, I am not sure what using the transparent proxy brings as it only filters http.
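Added example, not part of the original posts: a shell check that the port the nat PREROUTING chain redirects port-80 traffic to is the same port the filter is configured to listen on, which is the mismatch behind the symptom in the question. The iptables listing and the config text are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Compare the configured listener port with the port that the firewall
# redirects transparent web traffic to.

# Constructed sample of "iptables -nvL PREROUTING -t nat" output (not from a real host).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 REDIRECT   tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Constructed sample config text in the style of dansguardian.conf.
SAMPLE_CONF='# Port the filter listens on
filterport = 8081'

# Print the filterport value found in config text on stdin.
conf_filterport() {
    sed -n 's/^[[:space:]]*filterport[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print every port that tcp/80 traffic is redirected to, one per line.
redirect_ports() {
    awk '$3 == "REDIRECT" && /dpt:80( |$)/ {
        for (i = 1; i < NF; i++)
            if ($i == "ports") print $(i + 1)
    }'
}

# Return 0 if some REDIRECT rule for tcp/80 in listing $1 targets port $2.
redirect_covers_port() {
    printf '%s\n' "$1" | redirect_ports | grep -qx "$2"
}

# Report whether transparent clients will reach the configured listener.
check_transparent() {
    port=$(printf '%s\n' "$2" | conf_filterport)
    if redirect_covers_port "$1" "$port"; then
        echo "ok: port 80 is redirected to listener port $port"
    else
        echo "mismatch: listener on $port, redirect goes to $(printf '%s\n' "$1" | redirect_ports | tr '\n' ' ')"
        return 1
    fi
}

check_transparent "$SAMPLE_LISTING" "$SAMPLE_CONF" || true
```

On a live system, pass the real listing and config file contents in place of the two sample variables.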